FeehiCMS index.php createBanner unrestricted upload
Description
A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img] leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FeehiCMS up to 2.1.1 has a critical unrestricted file upload vulnerability in the banner creation endpoint, allowing remote code execution.
Vulnerability
Description
CVE-2024-8295 is a critical vulnerability in FeehiCMS up to version 2.1.1, reported as publicly disclosed. The issue resides in the /admin/index.php?r=banner%2Fbanner-create endpoint, specifically within the createBanner function. By manipulating the BannerForm[img] argument, an attacker can upload arbitrary files without restriction, enabling code execution on the server [1].
Exploitation
The attack is initiated remotely and does not require authentication, as the vulnerable endpoint is accessible to any user. The lack of validation on the uploaded file type or content allows an attacker to upload a PHP web shell or other malicious files. Since FeehiCMS is based on the Yii2 framework and runs on PHP, the uploaded file can be executed directly, leading to full compromise [2]. The exploit has been publicly released, increasing the risk of widespread attacks.
Impact
An attacker can upload arbitrary files, including PHP shells, to the web server. This can lead to remote code execution, data theft, privilege escalation, and full server takeover. The vulnerability is classified as critical due to the minimal attack complexity and severe impact [1].
Mitigation
As of the publication date, the vendor has not responded nor released a patch. Users are advised to immediately restrict access to the admin panel, implement file upload validation via web server configuration, and consider migrating to an alternative CMS if no update becomes available. The vulnerability's public disclosure and lack of vendor response raise significant risk [1][2].
Note: The vendor's GitHub repository shows no activity addressing this issue [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| feehi/cms (Packagist) | <= 2.1.1 | — |
Affected products
- FeehiCMS/FeehiCMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- gitee.com/A0kooo/cve_article/blob/master/feehi_cms/file_upload2/Fichkems%20banner%20file%20upload%20vulnerability.md (exploit write-up)
- github.com/advisories/GHSA-3wrg-6mg5-jg2v (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-8295 (advisory)
- vuldb.com (third-party advisory)
- vuldb.com (signature; permissions required)
- vuldb.com (VDB entry; technical description)
News mentions
No linked articles in our index yet.